VDB
GCVE-110-OSM-2026-5715
GCVE-110-OSM-2026-5715
Advisory PublishedCVSS 9.6/10
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code.
Entrypoint: lib/index.cjs.js (main: lib/index.cjs.js)
Exfil: 8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY (telegram-bot, recovery: plaintext in lib/index.cjs.js)
Payload: lib/index.cjs.js
Secondary files: lib/index.esm.js, lib/index.iife.js
Key findings:
- Download Execute Delete Pattern in lib/index.cjs.js: "writeFileSync(tf,cr);cp.execSync('(crontab -l 2>/dev/null|grep -v csf6;cat '+tf+..."
- Download Execute Delete Pattern in lib/index.esm.js: "writeFileSync(tf,cr);cp.execSync('(crontab -l 2>/dev/null|grep -v csf6;cat '+tf+..."
- Corporate Environment Targeting in lib/index.iife.js: "tmost min(nBitLen, outLen) bits, which match"
- Chai-Max Wallet Theft Indicators in package.json: "solana-wallet"
- Data Encoding for Exfiltration in lib/index.browser.cjs.js: "Buffer.from(wireTransaction).toString('base64')"
IOCs:
- ipv4: 104.239.66.223, 13.3.3.7, 4.2.1.2
- urls: https://bargsten.org/jsts/enums/, https://docs.solana.com/implemented-proposals/ed_overview, https://api.testnet.solana.com, https://docs.rs/solana-stake-program/latest/solana_stake_program/stake_state/enum.StakeStateV2.html, https://docs.rs/solana-vote-program/1.9.5/solana_vote_program/vote_state/struct.VoteState.html#method.size_of (+45 more)
- domains: bargsten.org, solana.com, docs.solana.com, api.testnet.solana.com, api.devnet.solana.com (+28 more)
- emails: dead_horse@qq.com, maintainers@solanalabs.com
- telegramBots: 8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY
- bitcoinAddresses: 11111111111111111111111111111111
- sha256Hashes: 0100000000000000000000000000000000000000000000000000000000000000, c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a, 0000000000000000000000000000000000000000000000000000000000000080, 26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05, ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f (+3 more)
- payloadFileHash: f5d62c50dac9bc82c50b7b5a3b230009127f1f4b04d766db109fcb7a80b86262
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | solana-web3-community | all (affected) | — |
Aliases
Browse GCVE Records
73,834 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.